That being said, the bug we are talking about right now is actually a local privilege escalation (LPE) flaw inside the Windows User Profile service. Microsoft first acknowledged this vulnerability with the ID CVE-2021-34484 and received a CVSS v3 score of 7.8, and it was supposedly patched through the August 2021 Patch Tuesday update.
CVE-2021-34484 finally got fixed
Security researcher Abdelhamid Naceri, who first dug up this vulnerability back in 2021, was able to bypass the Microsoft-provided security patch. Microsoft issued its next fix via the January 2022 Patch Tuesday but Naceri once again was able to get around it on all Windows versions except Server 2016. 0patch, which often issues unofficial micropatches for various security bugs, found that its micropatch was not exploitable by this threat. A certain profext.dll DLL file issued by 0patch was able to fix the issue. However, Microsoft seemingly modified this DLL file and nullified the patch, making users’ systems vulnerable again. CVE-2021-34484 is again a 0day on supported Windows versions. Affected Windows computers whose official support had already ended (Windows 10 v1803, v1809, and v2004) and have 0patch, did not have this vulnerability reopened. The security team at 0patch ported their micropatch to the latest profext.dll on the following Windows versions: The above-mentioned patch can be faound on their blog, but keep in mind that this is an unofficial workaround. What is your opinion on this entire situation? Share your thoughts with us in the comments section below.
Name *
Email *
Commenting as . Not you?
Save information for future comments
Comment
Δ